Developers can write and deploy code on LabKey Server. This topic describes the roles that can be granted to developers.
The Platform Developer
role allows admins to grant developer access to trusted individuals who can then write and deploy code outside the LabKey security framework. By default, the Developer group is granted this role on a site-wide basis. When that code is executed by others, it may run with different permissions than the original developer user had been granted.
The Platform Developer
role is very powerful because:
- Any Platform Developer can write code that changes data and server behavior.
- This code can be executed by users with very high permissions, such as Site Administators and Full PHI Readers. This means that Platform Developers have lasting and amplified powers that go beyond their limited tenure as composers of code.
Administrators should (1) carefully consider which developers are given the Platform Developer role and (2) have an ongoing testing plan for the code they write. Consider the Trusted Analyst
roles as an alternative on Premium Editions of LabKey Server.
Grant the Platform Developer Role
To grant the platform developer role, an administrator selects (Admin) > Site > Site Permissions
. They can either add the user or group directly to the Platform Developer
role, or if the Developers
site group is already granted this role (as shown below) they can add the user to that group by clicking the "Developers" box, then adding the user or group there.
Platform Developer Capabilities
The capabilities granted to users with the Platform Developer role include the following. They must also have the Editor role in the folder to use many of these:
- View session logs
- Turn logging on and off
- Share private reports
- Create R reports on data grids
- Customize participant views
- Access the Developer tab in the plot editor for including custom scripts in visualizations
- Export chart scripts
- Schemas and Queries:
- Create/edit/delete custom queries in folders where they also have the Editor role
- View raw JDBC metadata
- Create tours
- Developer Tools:
- More verbose display and logging
- Developer Links options on the (Admin) menu
- Use of the mini-profiler
Developer Site Group
One of the built in site groups is "Developer". This is not a role, but membership in this group was used to grant access to developers prior to the introduction of the platform developer role. By default, the Developers site group is granted the platform developer role.
Developer Links Menu
Developers have a access to additional resources on the (Admin)
Select Developer Links
for the following options:
Depending on the modules installed, there may also be additional options included on this menu, such as:
— The Trusted Analyst and Analyst roles are available in all Premium Editions of LabKey Server. Learn more
or contact LabKey
The role Trusted Analyst
grants the ability to write code that runs on the server in a sandbox
is a software management strategy that isolates applications from critical system resources. It provides an extra layer of security to prevent harm from malware or other applications. Note that LabKey does not verify security of a configuration an administrator marks as "sandboxed".
Code written by trusted analysts may be shared with other users and is presumed to be trusted. Admins should assign users to this role with caution as they will have the ability to write scripts that will be run by other users under their own userIds.
To set up the Trusted Analyst role:
- Set up a sandboxed script engine in a folder.
- In the same folder, give the Editor role to the desired script/code writers.
- Go to (Admin) > Site > Site Permissions and give the Trusted Analyst role to the desired script/code writers.
Trusted analysts also have the ability to create/edit/delete custom queries in folders where they also have the Editor role.
The role Analyst
grants the ability to write code that runs on the server, but not the ability to share that code for use by other users. For example, an analyst can use RStudio
if it is configured, but may not write R scripts that will be run by other users under their own userIDs.